August 11, 2016

Top 6 Employee Errors That Cause Data Breaches

Research over the last few years has identified human error as a leading cause of data breaches in workplaces around the world.

One good example is the 2016 Shred-it Security Tracker, which showed a significant 24% of all Canadian data breaches were caused by employee negligence or human error.

What are the most common employee errors in the workplace that lead to data breaches?

  1. Falling for a phishing scam.  Employees will receive emails from fraudulent sources that try to lure them to download malicious files or click on a link to an exploit-laden site. According to the 2016 Verizon Data Breach Investigations Report, 30% of these messages were opened and 13% of employees went on to open a malicious attachment or link.
  2. Losing a laptop.  Laptops containing confidential information are the most common stolen or lost devices across all industries – they go missing from the work area (39%) or a vehicle (34%), according to the Investigations Report. 
  3. Privilege abuse.  Information theft can occur when employees have unnecessary access to information, or access isn’t halted after an employee leaves the company or has been reassigned, according to BakerHostetler’s 2016 Data Security Incident Response Report.
  4. Security mistake.  Close to half of the organizations in the research from Shred-it cited ‘lack of knowledge’ and ‘human error’ around information security protocols as the biggest threats to their company. These types of errors included sending sensitive data to the wrong person.
  5. Passwords. The Verizon report showed that 63% of data breaches involved weak, stolen, or default passwords. 
  6. Improper disposal of information. The Shred-it research identified a lack of protocols for storing and disposing of confidential paper and electronic data. “With little training on information security procedures, employees are forced to make the decision as to what is and what isn’t considered confidential,” said an online statement.  

How can an organization stop these mistakes from happening?

  • Embed security processes into the workplace. For example, partner with an information destruction company that installs locked consoles – employees simply put confidential documents that are no longer needed into the consoles for secure shredding. Implement a Shred-it All Policy as well so that all documents are shredded.
  • Standardize security policies such as a Clean Desk Policy. Employees must clear their work areas, and protect information at all times. Control access to information too.
  • Use technology solutions. Utilize two-factor authentication. Patch promptly. Encrypt data. Data loss prevention (DLP) can detect whether sensitive data is being emailed or copied to a USB stick.
  • Provide on-going training. Teach employees policies and procedures including practical solutions such as how to avoid scams and password hygiene. In Canada, 39% of small businesses (SBOs) never train employees on information security procedures.
  • Protect electronic data. Physically destroy obsolete hardware before disposal. The Shred-it research showed that only 61% of C-Suite executives and 40% of SBOs have a protocol for storing and disposing of electronic data.  

Learning how to identity and stop insider fraud can have a direct impact on the bottom line. A typical organization loses 5% of revenues each year due to fraud.